JavaScrypt Encryption

If you've been thinking to yourself, watching the news of late, that it's really not cool for the government to monitor *everyone's* phone calls and email, because we really didn't sign on for a surveillance state, you have a few options, and in this entry I thought I'd look at just one of them (well, it's actually two utilities, but they work hand in glove).

If you want to go the simplest, cheapest route, have a look at JavaScrypt (not Javascript -- note the y). This is a Web-page implementation of the Advanced Encryption Standard (AES) using 256-bit keys. If that says nothing to you, that's OK: it's pretty darned solid encryption.

Basically, you pop any bit of text you want to send into the appropriate window on the JavaScrypt page, enter a key, and press a button. You can then copy and paste the resulting encrypted text, which looks impressively mysterious.

You can do that when sending chat messages, SMS messages, and email. The one catch (and it's not a tiny one) is that you have to have agreed upon your keys (essentially, a key is a password) in advance. And if someone can eavesdrop on your messages, sending your keys the same way you send your messages will mean you are handing over all your secrets right then and there.

In this particular entry I'm going to just ignore the question of getting to a point where both you and your interlocutor have the same secret key and there's no chance of anyone else having intercepted it. There are ways. We'll get to them.

So, if you go to the JavaScrypt page you'll find a form that lets you enter a key and some plaintext (that is, your unencrypted message). Press the button and the field down below populates with the encrypted version of your message.

Important to note is that this page contains all the code necessary, written in Javascript, to carry out this task. It's running "within" the page, so to speak, so nothing is sent back to a server where it could be monitored. How do you know this for sure? Well, for one thing, you can examine the code itself--just use the view source option on your browser. (That only vouches for the copy you just loaded, of course; the server could hand you something different tomorrow.) For another thing, you can make your own copy of the page, and in fact you can even use it when you are not connected to the Internet, which is the stronger guarantee: a saved copy can't quietly change under you, and with the network cable out there is nowhere for your plaintext to go.

Of course, it's possible that the person who put this page together (John Walker) has deviously introduced some weakness to the encryption that makes it easy for him to decrypt messages (should he be able to intercept them). But the fact of the matter is that John Walker is a guy who's been floating around in the Internet geek community for a lot of years, has been his own man the whole time, and even though I've never had occasion to meet him, I'm quite sure he is on the up and up. And of course, you can always examine all the code yourself to look for backdoors and flaws. (Could you really find them? Probably not, unless you're really a crypto expert.)

Anyway, once you've got your encrypted version, you just copy it and paste it into an email and send it off to your recipient. They take the encrypted block and paste it into their own copy of the JavaScrypt page, type in the secret password, and press the decrypt button. And life is good.

But you may make a small peep of protest at this point. Actually, two small peeps.

First, this does absolutely nothing to conceal metadata. The NSA will still know that you sent a message to this recipient. If you're sending messages to a "person of interest," you can pretty well figure you're about to be a person of interest yourself. You may not care. If you do, that's a topic for another day.

Alas, the fact that the message is encrypted may well be a red flag in and of itself, so it would be better if it wasn't apparent that the message was encrypted.

There's a fix for that as well, also provided by John Walker. The fix is simply to "encode" the encrypted message so that it's in a format that looks like "normal" words. For instance, here is this paragraph encrypted using the key "pellet" and then "stego'd" using default settings.

If you take this and work backwards, you'll get the paragraph above, returned from secrecy as if by magic. (Note in passing that "pellet" is a perfectly miserable password.)

I don't think many people use this steganography utility of Walker's, so I think it's relatively safe to assume that the NSA isn't looking for patterns of words that would be unique to this tool and thereby discovering messages with hidden encryption. But it's something to think about: a fixed word list used to encode random-looking bytes produces text with its own statistical fingerprint. And since this *is* open javascript code, you could obviously tinker with the word selection and the like to make it use different vocabulary. But that's a project for another day.

A simpler way to make the weirdness of the word selection less evident to scanners is to embed the section in a much longer text, at some pre-ordained offset.
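The two ideas above, encoding ciphertext bytes as ordinary words and then burying the run of words at a pre-arranged offset inside a longer innocent text, can be shown in a few dozen lines. What follows is an added example written for this entry; it is not John Walker's stego code and does not match his output format. The two 16-word lists (one for the high nibble of each byte, one for the low nibble), the 2-byte length prefix and the cover letter are all this example's own constructions.

```javascript
// Added example, not Walker's stego utility: turn ciphertext bytes into
// dictionary words and hide them at an agreed word offset in cover text.

// Each byte becomes two words: HIGH[high nibble] followed by LOW[low nibble].
// The lists are an assumption for this example; a real deployment would use
// a much larger vocabulary to blunt the statistical fingerprint.
const HIGH = ['the', 'a', 'this', 'that', 'our', 'your', 'every', 'some',
  'each', 'any', 'no', 'his', 'her', 'their', 'my', 'one'];
const LOW = ['report', 'meeting', 'garden', 'letter', 'morning', 'window',
  'market', 'river', 'bridge', 'coffee', 'ticket', 'station', 'dinner',
  'harbour', 'lantern', 'summer'];

function bytesToWords(bytes) {
  const out = [];
  for (const b of bytes) out.push(HIGH[b >> 4], LOW[b & 0x0f]);
  return out;
}

function wordsToBytes(words) {
  if (words.length % 2 !== 0) throw new Error('odd word count: truncated text?');
  const out = Buffer.alloc(words.length / 2);
  for (let i = 0; i < words.length; i += 2) {
    const hi = HIGH.indexOf(words[i]);
    const lo = LOW.indexOf(words[i + 1]);
    if (hi < 0 || lo < 0) throw new Error(`word ${i} is not a codebook word`);
    out[i / 2] = (hi << 4) | lo;
  }
  return out;
}

// Tokens from running text: split on whitespace, lowercase, letters only,
// so "Garden," and "garden" are the same word to the decoder.
function tokenize(text) {
  return text.split(/\s+/).filter(Boolean).map((t) => t.toLowerCase().replace(/[^a-z]/g, ''));
}

// Insert the encoded payload into `cover` starting at word index `offset`.
// A 2-byte big-endian length prefix tells the receiver where the run ends.
function embed(cover, offset, payload) {
  if (payload.length > 0xffff) throw new Error('payload too long for 2-byte length');
  const coverWords = cover.split(/\s+/).filter(Boolean);
  if (offset > coverWords.length) throw new Error('offset lies beyond the cover text');
  const header = Buffer.from([payload.length >> 8, payload.length & 0xff]);
  const hidden = bytesToWords(Buffer.concat([header, payload]));
  return [...coverWords.slice(0, offset), ...hidden, ...coverWords.slice(offset)].join(' ');
}

// Recover the payload from `text`, knowing only the pre-arranged offset.
function extract(text, offset) {
  const words = tokenize(text);
  const header = wordsToBytes(words.slice(offset, offset + 4));
  const len = (header[0] << 8) | header[1];
  return wordsToBytes(words.slice(offset + 4, offset + 4 + 2 * len));
}

// Demonstration with a constructed cover letter and a made-up 4-byte payload
// standing in for ciphertext (in practice this would be the encrypted blob).
const cover = 'Dear Alice, thanks for your note about the garden. Talk soon, Bob.';
const payload = Buffer.from([0x00, 0x7f, 0xa5, 0xff]);
const stegoText = embed(cover, 5, payload);
console.log(stegoText);
console.log(extract(stegoText, 5).equals(payload) ? 'recovered' : 'mismatch');
```

Run it and the weakness the text warns about is plain to see: the inserted run reads as grammatical nonsense ("the report the report ... one summer") dropped into an otherwise normal sentence, and with only 32 distinct words the hidden region is easy to spot by eye, let alone by a scanner. Burying it deeper in a long text and widening the vocabulary both help; neither makes the content look like prose a human wrote.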

I think JavaScrypt would be a pretty good approach if you needed to share something very sensitive with someone you were working with. It's not workable at all as a general way to make sure all your email is encrypted, for the obvious reason that you have to exchange passwords with the person on the other end of the exchange. And for ordinary messages that wouldn't need to be protected, it's just far too much trouble.

As far as passwords go, by the way, you might want to use a system to make it easy to change passwords after each message. Probably the best way to do this is to agree on a certain book, then pick a line in the book which would be the password for the first message. After that, you'd use the next full line of text for each subsequent password. Don't use an obvious book like the Bible. Indeed, that's about the worst choice you could make: anyone who guesses the book can try every line in it. Obviously there are inherent limits to this approach (the lines of a published book are not random, and anyone who learns the book and your starting point gets every later password for free), but for special situations, it can work pretty well.